We define a testing equivalence in the spirit of De Nicola and Hennessy for reactive probabilistic 
processes, i.e. for processes where the internal nondeterminism is due to random behaviour. We 
characterize the testing equivalence in terms of ready-traces. From the characterization it follows 
that the equivalence is insensitive to the exact moment in time in which an internal probabilistic 
choice occurs, a property inherited from the original testing equivalence of De Nicola and Hennessy. 
We also show decidability of the testing equivalence for finite systems for which the complete model 
may not be known. 

1 Introduction 

A central paradigm behind process semantics based on observability (e.g. [18]) is that the exact moment 
an internal nondeterministic choice is resolved is unobservable. This is because an observer does not 
have insight into the internal structure of a process but only into its externally visible actions. 
Unobservability of internal choice has also been achieved by the testing theory [7]¹, where two processes are 
treated as equivalent iff they cannot be distinguished when interacting with their environment (which is an 
arbitrary process itself). It is natural, therefore, for this property to hold when internal choice is 
quantified with probabilities. It turned out, however, that it was not trivial to achieve unobservability of 
internal probabilistic choice in probabilistic testing theory. The following example illustrates some points 
that cause this problem. 

Consider a system consisting of a machine and a user, that communicate via a menu of two buttons 
"head" and "tail" positioned at the machine. The machine makes a fair choice whether to give a prize if 
"head" is chosen or if "tail" is chosen. The user can choose "head" or "tail" by pressing the appropriate 
button. If the user chooses the right outcome, a prize follows. Note that by no means the machine's 
choice could have been revealed beforehand to the user. The machine can be modeled by the process 
graph s in Fig. 1. That is, in half of the machine runs, it offers a prize after the "head" button has been 
pressed (out of the two-button menu "head" and "tail"), while in the other half of the runs it offers a prize 
after the "tail" button has been pressed (out of the two-button menu "head" and "tail"). The user can be 
modeled by process u in Fig. 1. Sometimes she would press "head" and sometimes "tail"; however, her 
goal is to win a prize, denoted by action p, and be "happy" afterwards, denoted by action ☺. 

Let the user and the machine interact, i.e. let them synchronize on all actions, except on the "user 
happiness" reporting action ☺. In terms of testing theory [7], process s is tested with test u. It can be 
computed, by means of probability theory, that the probability with which the user has guessed the 
machine choice is 1/2. That is, the probability of a ☺ action being reported is 1/2. However, most of the 
existing approaches for probabilistic testing, in particular probabilistic may/must testing 
[8, 19, 28, 30, 32], do not give this answer. In order to compute the probability of ☺ being reported, the 
approaches in [8, 19, 28, 30, 32] use schedulers to resolve the action choice. These schedulers are taken 
very general and they are given the power to have insight into the internal structure of the synchronized 
process. Consider the synchronization $s \parallel u$ represented by the graph in Fig. 1, where actions are 
hidden after they have synchronized. A scheduler resolves the choices of actions in the two states reachable 
in one probabilistic step from the initial state of the graph $s \parallel u$, thus yielding a fully 
probabilistic system. For $s \parallel u$ in Fig. 1 there are four possible schedulers. They yield the 
following set of probabilities with which s passes the test u: {0, 1/2, 1}. We can see that, because the power 
of the schedulers is unrestricted, nonviable upper and lower bounds for the probability are obtained. Observe 
that this happens due to the effect of "cloning" the action choice of h and t (the choice between h and t has 
been "cloned" in both futures after the probabilistic choice in $s \parallel u$), and allowing a scheduler to 
schedule differently in the two "clones". This, in fact, corresponds to a model where the user is given power 
to see the result of the probabilistic choice made by the machine before she makes her guess. However, this is 
not the model we had initially in mind when the separate components, the machine and the user, were specified. 

Figure 1: Processes s and $\bar{s}$ are distinguished in probabilistic may/must testing theory 

¹ As shown in [26] the process semantics based on [18] and [7] coincide for a broad class of processes. 

Consider now process $\bar{s}$ in Fig. 1. To the user this process may as well represent the behaviour of the 
machine - the user cannot see whether the machine makes the choice before or after making the "head 
or tail" offers. According to the user, the machine acts as specified as long as she is able to guess the 
result in half of the cases. In fact, both schedulers, obtained by methods in [8, 19, 28, 30, 32], when 
applied to $\bar{s} \parallel u$ yield exactly probability 1/2 of reporting action ☺. Consequently, none of the 
approaches in [8, 19, 28, 30, 32] equate processes s and $\bar{s}$: when tested with test u, they produce 
different bounds for the probabilities of reporting ☺. On the other hand, if the probabilities are ignored and 
the probabilistic choice is treated as an internal choice, processes s and $\bar{s}$ are equivalent by the 
testing equivalence of [7]. 

Being able to equate s and $\bar{s}$ means allowing distribution of external choice over internal probabilistic 
choice [18]. Actually, distribution of external choice over internal choice is closely related to distribution 
of action prefix over internal choice. If distribution of external choice over internal probabilistic choice 
is not allowed, then distribution of action prefix over internal probabilistic choice is questioned too, 
otherwise the congruence properties of asynchronous or concurrent parallel composition lilSj (where 
processes synchronize on their common actions while interleaving on the other actions) would not hold. 
For instance, we would not be able to equate processes $e.a.(b \oplus_{1/2} c)$ and 
$e.((a.b) \oplus_{1/2} (a.c))$. (The operator "." stands for prefixing and the operator "⊕" stands for a 
probabilistic choice.) Running each of these two processes concurrently with process e.d yields processes 
that, unless distribution of external choice over internal probabilistic choice is allowed, cannot be equated. 
If we are not able to relate processes that differ only in the moment internal probabilistic choice is 
resolved, before or after an action execution (in other words, if we do not allow distribution of action prefix 
over internal probabilistic choice), then for verification we can only rely on equivalences that inspect the 
internal structure of processes, such as bisimulations and simulations [15]. 

Motivated by the previous observations, in [12] we propose a testing preorder which can deal with 
this problem. According to this testing semantics, the probability with which process s passes test u 
(Fig. 1) is exactly 1/2. The model considered in [12] is rather general and allows probabilistic as well as 
internal non-deterministic choice, in addition to action choice. Moreover, the testing preorder is given a 
characterization in terms of a probabilistic ready-trace preorder (a ready-trace is an alternating sequence 
of "action menus" and executed actions). From this characterization it follows that the underlying 
equivalence equates processes s and $\bar{s}$. 

Since the tests in the model of [12] have internal transitions, in general, infinitely many tests need to 
be considered to determine equivalence between two finite processes. Therefore, the decidability of the 
testing equivalence for the general model at the moment relies on the characterization of the equivalence 
in terms of ready-traces. However, in practice, if we aim at testing whether the system is equivalent to 
the model, we may not have access to the ready-traces and the internal transitions of the system that 
are necessary to establish the equivalence. It is, therefore, of practical interest to investigate for which 
type of systems there exists a procedure to decide testing equivalence based only on testing itself (see 
also [10, 23, 33] for similar discussions). 

In this paper we investigate decidability for systems of the testing equivalence of [12] for reactive 
probabilistic systems [21], where all internal nondeterminism is due to random behaviour. We first point 
out that, under the condition that a test "knows" the current set of actions on which it can synchronize with 
the system (i.e. the menu of actions-candidates for synchronization), there exists a statistical procedure 
to estimate the result of testing a system with a given test. We then show that the set of tests necessary to 
determine equivalence of two finite systems is finite, from which the decidability result follows directly. 

More concretely, we prove that deterministic (i.e. non-probabilistic) tests suffice for distinguishing 
between finite processes. This result follows from the proof that the testing equivalence coincides with 
the probabilistic ready-trace equivalence. In this paper we also present the characterization proof, which 
is technically much more involved than the corresponding proof in [12], due to tests having "less power" 
than in [12]. From this characterization it also follows that the testing equivalence, when applied to 
the model of reactive probabilistic processes, preserves the previously mentioned desirable properties: 
it is insensitive to the exact moment of occurrence of an internal probabilistic choice and it refines the 
equivalence for the non-probabilistic case proposed in [7]. 



Structure of the paper In Sec. 2 we define some notions needed for the rest of the paper. In Sec. 3 
we recall the definition of probabilistic ready trace equivalence from [12]. In Sec. 4 we define a testing 
equivalence for the reactive probabilistic processes. In Sec. 5 we prove that the equivalences defined in 
Sections 3 and 4 coincide. In Sec. 6 we show the decidability results for the testing equivalence. Sec. 7 
ends with discussion of related work, other than [12], and concluding remarks. 



2 Preliminaries 

We define some preliminary notions needed for the rest of the paper. 

2.1 Bayesian probability 

For a set A, $2^A$ denotes its power-set. The following definitions are taken from [22]. 

We consider a sample space, $\Omega$, consisting of points called elementary events. Selection of a 
particular $a \in \Omega$ is referred to as "a has occurred". An event is a set of elementary events. A, B, C 
range over events. An event A has occurred iff, for some $a \in A$, a has occurred. Let $A_1, A_2, \ldots$ be a 
sequence of events and C be an event. The members of the sequence are exclusive given C, if whenever C has 
occurred no two of them can occur together, that is, if $A_i \cap A_j \cap C = \emptyset$ whenever $i \neq j$. 
C is called a conditioning event. If the conditioning event is $\Omega$, then "given $\Omega$" is omitted. 

For certain pairs of events A and B, a real number $P(A|B)$ is defined and called the probability of A 
given B. These numbers satisfy the following axioms: 

A1: $0 \le P(A|B) \le 1$ and $P(A|A) = 1$. 

A2: If the events in $\{A_i\}_{i=1}^{\infty}$ are exclusive given B, then 
$P(\bigcup_{i=1}^{\infty} A_i \mid B) = \sum_{i=1}^{\infty} P(A_i|B)$. 

A3: $P(C|A \cap B) \cdot P(A|B) = P(A \cap C|B)$. 

For $P(A|\Omega)$ we simply write $P(A)$. 

2.2 Probabilistic transition systems 

In a probabilistic transition system (PTS) there are two types of transitions, viz. action and probabilistic 
transitions; a state can either perform action transitions only (action state) or (unobservable) probabilistic 
transitions only (probabilistic state). To simplify, we assume that probabilistic transitions lead to action 
states. In action states the choice is between a set of actions, but once the action is chosen, the next state 
is determined. The outgoing transitions of a probabilistic state s define probability over the power-set of 
the set of action states. 

We give a formal definition of a PTS. Presuppose a finite set of actions $\mathcal{A}$. 

Definition 2.1 (Probabilistic Transition System (PTS)) A PTS is a tuple 
$(S_n, S_p, \rightarrow, \dashrightarrow)$, where 

• $S_n$ and $S_p$ are finite disjoint sets of action and probabilistic states, resp., 

• $\rightarrow \subseteq S_n \times \mathcal{A} \times (S_n \cup S_p)$ is an action transition relation such 
that $(s,a,t) \in \rightarrow$ and $(s,a,t') \in \rightarrow$ implies $t = t'$, and 

• $\dashrightarrow \subseteq S_p \times (0,1] \times S_n$ is a probabilistic transition relation such that, for 
all $s \in S_p$, $\sum_{(s,\pi,t) \in \dashrightarrow} \pi = 1$. 

We denote $S_n \cup S_p$ by S. We write $s \xrightarrow{a} t$ rather than $(s,a,t) \in \rightarrow$, and 
$s \overset{\pi}{\dashrightarrow} t$ rather than $(s,\pi,t) \in \dashrightarrow$ (or $s \dashrightarrow t$ if the 
value of $\pi$ is irrelevant in the context). We write $s \xrightarrow{a}$ to denote that there exists an 
action transition $s \xrightarrow{a} s'$ for some $s' \in S$. We agree that a state without outgoing transitions 
belongs to $S_n$. Given a process s and action $a \in \mathcal{A}$, denote by $s_a$ the process, if it exists, 
for which $s \xrightarrow{a} s_a$. Given a PTS $(S_n, S_p, \rightarrow, \dashrightarrow)$, let 
$I: S_n \to 2^{\mathcal{A}}$ be a function such that, for all $a \in \mathcal{A}$, $s \in S_n$, it holds 
$a \in I(s)$ iff $s \xrightarrow{a}$. $I(s)$ is called the menu of s. Intuitively, for $s \in S_n$, $I(s)$ is 
the set of actions that the process s can perform initially. 

As standard, we define a process graph (or simply process) to be a state $s \in S$ together with all states 
reachable from s, and the transitions between them. A process graph is usually named by its root state, 
in this case s. 



Sonja Georgievska and Suzana Andova 






3 Probabilistic ready trace semantics 

In this section we recall the ready-trace equivalence for reactive probabilistic processes defined in [12]. 

Definition 3.1 (Ready trace) A ready trace of length n is a sequence 
$(M_1, a_1, M_2, a_2, \ldots, M_{n-1}, a_{n-1}, M_n)$ where $M_i \in 2^{\mathcal{A}}$ for all 
$i \in \{1,2,\ldots,n\}$ and $a_i \in M_i$ for all $i \in \{1,2,\ldots,n-1\}$. 

We assume that the observer has the ability to observe the actions that the process performs, together with 
the menus out of which actions are chosen. Intuitively, a ready trace 
$(M_1, a_1, M_2, a_2, \ldots, M_{n-1}, a_{n-1}, M_n)$ can be observed if the initial menu is $M_1$, then action 
$a_1 \in M_1$ is performed, then the next menu is $M_2$, then action $a_2 \in M_2$ is performed and so on, until 
the observing ends at a point when the menu is $M_n$. It is essential that, since the probabilistic transitions 
are not observable, the observer cannot infer where exactly they happen in the ready trace. 

Clearly the probability of observing a ready trace $(\{a,b\}, a, \{c\})$ is conditioned on choosing the 
action a from the menu $\{a,b\}$. This suggests that, when defining probabilities on ready traces, the 
Bayesian definition of probability is more appropriate than the measure-theoretic definition that is usually 
taken. 

Next, given a process s, we define a process $s_{(M,a)}$. Intuitively, $s_{(M,a)}$ is the process that s 
becomes, assuming that menu M was offered to s and action a was performed. 

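Definition 3.2 Let s be a process graph. Let $M \subseteq \mathcal{A}$, $a \in M$ be such that $I(s) = M$ if 
$s \in S_n$ or otherwise there exists a transition $s \dashrightarrow s'$ such that $I(s') = M$. The process 
graph $s_{(M,a)}$ is obtained from s in the following way: 

• if $s \in S_n$ then the root of $s_{(M,a)}$ is the state $s'$ such that $s \xrightarrow{a} s'$, and 

• if $s \in S_p$ then a new state $s_{(M,a)}$ is created. Let 
$\pi = \sum_{s \overset{\pi_i}{\dashrightarrow} s_i,\ I(s_i) = M} \pi_i$. For all $s'_i$ such that 
$s \overset{\pi_i}{\dashrightarrow} s_i \xrightarrow{a} s'_i$ and $I(s_i) = M$: 

  - if $s'_i \not\dashrightarrow$, then an edge $s_{(M,a)} \overset{\pi_i/\pi}{\dashrightarrow} s'_i$ is created; 

  - for all transitions $s'_i \overset{\rho}{\dashrightarrow} s''_i$, an edge 
    $s_{(M,a)} \overset{\pi_i \cdot \rho/\pi}{\dashrightarrow} s''_i$ is created. 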

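Definition 3.3 Let $(M_1, a_1, M_2, a_2, \ldots, M_{n-1}, a_{n-1}, M_n)$ be a ready trace of length n and s be a 
process graph. Functions $P^1_s(M)$ and $P^n_s(M_n | M_1, a_1, \ldots, M_{n-1}, a_{n-1})$ (for $n > 1$) are 
defined in the following way: 

$$P^1_s(M) = \begin{cases} \sum_{s \overset{\pi}{\dashrightarrow} s'} \pi \cdot P^1_{s'}(M) & \text{if } s \in S_p, \\ 1 & \text{if } s \in S_n,\ I(s) = M, \\ 0 & \text{otherwise.} \end{cases}$$

$$P^2_s(M_2 | M_1, a_1) = \begin{cases} P^1_{s_{(M_1,a_1)}}(M_2) & \text{if } P^1_s(M_1) > 0, \\ \text{undefined} & \text{otherwise.} \end{cases}$$

$$P^n_s(M_n | M_1, a_1, \ldots, M_{n-1}, a_{n-1}) = \begin{cases} P^{n-1}_{s_{(M_1,a_1)}}(M_n | M_2, a_2, \ldots, M_{n-1}, a_{n-1}) & \text{if } P^1_s(M_1) > 0, \\ \text{undefined} & \text{otherwise.} \end{cases}$$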

Let the sample space consist of all possible menus and $s \in S$. Function $P^1_s(M)$ can be interpreted 
as the probability that the menu M is observed initially when process s starts executing. Let the sample 
space consist of all ready traces of length n and let $s \in S$. The function 
$P^n_s(M_n | M_1, a_1, \ldots, M_{n-1}, a_{n-1})$ can be interpreted as the probability of the event 
$\{(M_1, a_1, \ldots, M_{n-1}, a_{n-1}, M_n)\}$, given the event 
$\{(M_1, a_1, \ldots, M_{n-1}, a_{n-1}, X) : X \in 2^{\mathcal{A}}\}$, if observing ready traces of process s. 
It can be checked that these probabilities are well defined, i.e., they satisfy the axioms A1-A3 of Section 2. 

Definition 3.4 (Probabilistic ready trace equivalence) Two processes s and $\bar{s}$ are probabilistically 
ready trace equivalent, notation s $\bar{s}$, iff: 

• for all M in $2^{\mathcal{A}}$, $P^1_s(M) = P^1_{\bar{s}}(M)$ and 

• for all $n > 1$, $P^n_s(M_n | M_1, a_1, \ldots, M_{n-1}, a_{n-1})$ is defined if and only if 
$P^n_{\bar{s}}(M_n | M_1, a_1, \ldots, M_{n-1}, a_{n-1})$ is defined, and in case they are both defined, they are 
equal. 

Informally, two processes s and $\bar{s}$ are ready-trace equivalent iff for every n and every ready trace 
$(M_1, a_1, M_2, a_2, \ldots, M_n)$, the probability to observe $M_n$, under condition that previously the 
sequence $(M_1, a_1, M_2, a_2, \ldots, a_{n-1})$ was observed, is defined at the same time for both s and 
$\bar{s}$; moreover, in case both probabilities are defined, they coincide. Note that it is straightforward to 
construct a testing scenario along the lines of [18] for this ready-trace equivalence. Namely, in [18] a ready 
trace machine is described that allows for the ready traces to be observed. To estimate² the conditional 
probabilities of the ready traces of length n, only basic statistical analysis needs to be applied to the set 
of all ready traces obtained from the ready-trace machine. 

Example For processes s and $\bar{s}$ in Fig. 1 it holds s $\bar{s}$. 
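
The conditional probabilities of Definition 3.3 can be computed by filtering on each observed menu and renormalizing, as in this added Python example (not code from the paper). The tuple encoding, the shapes of the two machines (reconstructed from the prose description of Fig. 1), the biased machine and the bound on the trace length are assumptions of the example.

```python
from fractions import Fraction
from itertools import combinations, product

HALF = Fraction(1, 2)

def act(**moves):
    """Action state: each offered action has exactly one successor."""
    return ("act", moves)

def prob(*branches):
    """Probabilistic state: (probability, action state) pairs."""
    return ("prob", branches)

NIL = act()

def resolve(state, weight=Fraction(1)):
    """Weighted action states reached after the unobservable probabilistic step."""
    kind, body = state
    if kind == "act":
        return [(weight, state)]
    return [(weight * p, t) for p, t in body]   # branches lead to action states

def menu(action_state):
    return frozenset(action_state[1])

def ready_trace_prob(s, prefix, last_menu):
    """P^n_s(M_n | M_1,a_1,...,M_{n-1},a_{n-1}); None when undefined."""
    dist = resolve(s)
    for M, a in prefix:
        kept = [(w, t) for w, t in dist if menu(t) == frozenset(M)]
        total = sum(w for w, _ in kept)
        if total == 0 or a not in M:
            return None                          # conditioning event has probability 0
        # Condition on menu M (renormalize), then perform a: this is s_(M,a).
        dist = [pair for w, t in kept for pair in resolve(t[1][a], w / total)]
    return sum((w for w, t in dist if menu(t) == frozenset(last_menu)), Fraction(0))

def menus(actions):
    acts = sorted(actions)
    return [frozenset(c) for r in range(len(acts) + 1) for c in combinations(acts, r)]

def ready_trace_equivalent(s, t, actions, max_len):
    """Definition 3.4 checked for all ready traces up to length max_len (assumed bound)."""
    steps = [(M, a) for M in menus(actions) for a in sorted(M)]
    for n in range(1, max_len + 1):
        for prefix in product(steps, repeat=n - 1):
            for M in menus(actions):
                if ready_trace_prob(s, prefix, M) != ready_trace_prob(t, prefix, M):
                    return False
    return True

# Constructed processes: the machine decides before (machine) or after
# (machine_bar) the head/tail offer; `biased` is a hypothetical 1/3-2/3 variant.
S1 = act(h=act(p=NIL), t=NIL)
S2 = act(h=NIL, t=act(p=NIL))
machine = prob((HALF, S1), (HALF, S2))
coin = prob((HALF, act(p=NIL)), (HALF, NIL))
machine_bar = act(h=coin, t=coin)
biased = prob((Fraction(1, 3), S1), (Fraction(2, 3), S2))

if __name__ == "__main__":
    print(ready_trace_prob(machine, [({"h", "t"}, "h")], {"p"}))
    print(ready_trace_equivalent(machine, machine_bar, "hpt", 3))
    print(ready_trace_equivalent(biased, machine_bar, "hpt", 3))
```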

4 Testing equivalence 

In this section we define a testing equivalence in the style of [7] for reactive probabilistic processes. 

Recall that a division of two polynomials is called a rational function. For example, is a rational 
function with arguments x and y. A possible domain for this function is $(0,\infty) \times (0,\infty)$. We 
exploit a subset ^ of the rational functions whose argument names belong to the action labels $\mathcal{A}$, 
which is generated by the following grammar: 

$\varphi ::= \alpha \mid a \mid \varphi + \varphi \mid \varphi \cdot \varphi \mid \frac{\varphi}{\varphi}$, 

where $\alpha$ is a non-negative scalar, $a \in \mathcal{A}$, and $+$, $\cdot$, and $/$ are ordinary algebraic 
addition, multiplication and fraction, resp. Brackets are used in the standard way to change the priority of 
the operators. For our purposes, we assume that the arguments a, b, ... can only take positive values, i.e. the 
domain of every function in ^ is $(0,\infty)^n$, where n is the size of the action set. Therefore, two rational 
functions in ^ are equal iff they can be transformed to equal terms using the standard transformations that 
preserve 
equivalence (e.g. for a,b e , \ ■ ^ + ^ ■ ^ = = ^). 

A test T, as standard, is a finite process³ such that, for a symbol $\omega$ there may exist transitions 
$s \xrightarrow{\omega}$ for some states s of T, denoting success. Denote the set of all tests by ^. Next, we 
define the result of testing a process with a given test. The informal explanation follows afterwards. 

² We emphasize the word "estimate", as it is common knowledge that statistics provides only estimations of the 
probabilities [22]. 

³ For now we restrict to non-recursive tests, as the characterization proof in Sec. 5 is already involved; 
however, it is not uncommon to restrict to non-recursive tests in probabilistic testing initially, for the sake 
of clear presentation (see e.g. ||8]|9|). In fact, usually recursive tests do not increase the distinguishing 
power of the finite tests [17, 30, 33], since infinite paths in tests cannot report success. 
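
Definition 4.1 The function R: S × ^ → ^ that gives the result of testing a process s with a test T is 
defined as follows. 

$$R(s,T) = \begin{cases} 1, & \text{if } T \xrightarrow{\omega}, \\ \sum_{i \in I} \pi_i \cdot R(s_i, T), & \text{if } s \overset{\pi_i}{\dashrightarrow} s_i \text{ for } i \in I,\ T \not\xrightarrow{\omega}, \\ \sum_{i \in I} \pi_i \cdot R(s, T_i), & \text{if } T \overset{\pi_i}{\dashrightarrow} T_i \text{ for } i \in I,\ s \not\dashrightarrow, \\ \sum_{a \in K} \frac{a}{\sum_{b \in K} b} \cdot R(s_a, T_a), & \text{for } K = I(s) \cap I(T), \text{ otherwise.} \end{cases}$$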

As usual, the result of testing a process with a success test is 1. The result of testing a process with a 
probabilistic state as a root (i.e. initially probabilistic process) is a weighted sum of the results of testing 
the subsequent processes with the same test. Similarly when the test is initially probabilistic. 
Non-standard, however, is the result of testing a process s with a test T that can initially perform actions 
from $\mathcal{A}$ only. Namely, when the process and the test synchronize on an action, the resulting 
transition is labeled with a "weighting factor", containing information about the way this synchronization 
happened. This information has the form of a rational function, the numerator of which represents the 
synchronized action itself, while the denominator is the sum of the common initial actions of s and T, i.e., all 
actions on which s and T could have synchronized at the current step. In order to compute the final result of 
the testing, the rational function is temporarily treated as "symbolic" probability. The final result is again 
a rational function in ^. 

For example, it is easy to compute that the result of testing either s or $\bar{s}$ with u (given in Fig. 1) 
is equal to 1/2, which establishes one of our goals set in Sec. 1. However, in many cases the result is a 
non-scalar rational function. 
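
The following added Python example (not from the paper) evaluates Definition 4.1 on the head/tail machine and contrasts it with the unrestricted schedulers discussed in Sec. 1. The tuple encoding, the process shapes (reconstructed from the prose description of Fig. 1) and the evaluation of the rational function at concrete positive action weights, instead of symbolically, are assumptions of the example.

```python
from fractions import Fraction
from itertools import product

OMEGA = "omega"            # success action of a test
HALF = Fraction(1, 2)

def act(**moves):
    """Action state: each offered action has exactly one successor."""
    return ("act", moves)

def prob(*branches):
    """Probabilistic state: (probability, action state) pairs summing to 1."""
    assert sum(p for p, _ in branches) == 1
    return ("prob", branches)

NIL = act()                # state without outgoing transitions

def R(s, T, w):
    """Definition 4.1, evaluated at the positive action weights in w."""
    kind_T, body_T = T
    if kind_T == "act" and OMEGA in body_T:
        return Fraction(1)                                  # success test
    kind_s, body_s = s
    if kind_s == "prob":                                    # process chooses randomly
        return sum((p * R(si, T, w) for p, si in body_s), Fraction(0))
    if kind_T == "prob":                                    # test chooses randomly
        return sum((p * R(s, Ti, w) for p, Ti in body_T), Fraction(0))
    K = sorted(set(body_s) & set(body_T))                   # common menu
    total = sum((Fraction(w[a]) for a in K), Fraction(0))
    # Weighting factor a / (sum of K); an empty K gives the empty sum 0.
    return sum((Fraction(w[a]) / total * R(body_s[a], body_T[a], w) for a in K),
               Fraction(0))

def scheduler_outcomes(s, T):
    """Success probabilities reachable when a scheduler may pick any common
    action separately in every state (the may/must setting of Sec. 1)."""
    kind_T, body_T = T
    if kind_T == "act" and OMEGA in body_T:
        return {Fraction(1)}
    kind_s, body_s = s
    if kind_s == "prob":
        per_branch = [[p * x for x in scheduler_outcomes(si, T)] for p, si in body_s]
        return {sum(combo, Fraction(0)) for combo in product(*per_branch)}
    if kind_T == "prob":
        per_branch = [[p * x for x in scheduler_outcomes(s, Ti)] for p, Ti in body_T]
        return {sum(combo, Fraction(0)) for combo in product(*per_branch)}
    K = set(body_s) & set(body_T)
    if not K:
        return {Fraction(0)}
    return set().union(*(scheduler_outcomes(body_s[a], body_T[a]) for a in K))

# Constructed processes: machine decides before the offer, machine_bar after it.
machine = prob((HALF, act(h=act(p=NIL), t=NIL)), (HALF, act(h=NIL, t=act(p=NIL))))
coin = prob((HALF, act(p=NIL)), (HALF, NIL))
machine_bar = act(h=coin, t=coin)
user = act(h=act(p=act(omega=NIL)), t=act(p=act(omega=NIL)))

if __name__ == "__main__":
    w = {"h": 3, "t": 5, "p": 7}                            # arbitrary positive weights
    print(R(machine, user, w), R(machine_bar, user, w))
    print(sorted(scheduler_outcomes(machine, user)))
    print(sorted(scheduler_outcomes(machine_bar, user)))
```

In R(machine, user, w) the two branches contribute h/(h+t) and t/(h+t), so the weights cancel and the result is the same for every positive assignment.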

Definition 4.2 Two processes s and $\bar{s}$ are testing equivalent, notation s $\bar{s}$, iff $R(s, T)$ and 
$R(\bar{s}, T)$ are equal functions for every test T. 

Obviously, comparing two results boils down to comparing two polynomials, after both rational functions 
have been transformed to equal denominators. 

Remark In [12], in order to keep the probabilities in a composed system, the actions resulting from 
synchronization have a label containing information about the present and the history of synchronization 
- i.e. a sequence of previous menus of actions-candidates for synchronizing and the actual synchronized 
actions. This is because (i) we would like to denote that both choices in $s \parallel u$ (Fig. 1) are resolved 
in the same way and (ii) the history of resolution of choices, as usual, can play a role in the current 
resolution. In the present paper one of our main goals is to prove that the testing equivalence coincides 
with the ready-trace equivalence for the model of reactive probabilistic processes⁴. It turns out that, in 
order to achieve this goal, we can simplify the notation for the label of a synchronized action. Here 
the label of a resulting synchronized action contains only information about the current circumstances of 
synchronization in the form of a rational expression and the result of testing remains a rational expression. 
(The rational function is a suitable form of "remembering" the information, because "in the world of 
rational expressions" commutativity and distributivity laws hold, analogous to those we try to achieve 
"in the world of processes".) Besides simplifying the notation, this labeling enables us to present the 
proof of Theorem 5.2 (Sec. 5) in a much more concise way. 



⁴ In the setting without internal nondeterminism, preorder relations become superfluous, since in [12], as 
usual, a process implements another one iff the former contains less internal nondeterminism. 

5 Relationship between ≈ and ≈^ 

We establish our main result, namely that the testing equivalence coincides with the probabilistic 
ready-trace equivalence ≈^. In [12], given that two processes are not ready-trace equivalent, we provide 
a procedure on how to construct a test that distinguishes between the processes. The procedure heavily 
relies on the fact that tests can perform internal transitions (which can be manipulated based on the 
synchronization history). In the present case, the internal transitions of the tests, as those of the processes, 
are fully random (both the tests and the processes belong to the same model, in the spirit of [7]). Because 
of this, the present characterization proof is rather based on contradiction and is much more technically 
involved. 

As an intermediate result, we prove that the probabilistic transitions do not add distinguishing power 
to the tests. 

The following lemma, which considers the determinant of a certain type of an almost-triangular 
matrix, shall be needed in the proof of Theorem 5.2. 

Lemma 5.1 Let Q be a square $n \times n$ matrix with elements $q_{ij}$, for $1 \le i \le n$ and 
$1 \le j \le n$. Suppose $q_{ij} \in \{0,1\}$ for $i > 1$, $q_{ij} = 1$ for $i = j+1$, $q_{ij} = 0$ for 
$i > j+1$, and $q_{1j}$ = ^ for $1 \le j \le n$, where $Q_1, Q_2, \ldots, Q_n$ are irreducible, mutually prime 
polynomials with positive variables, and of non-zero degrees. Then the determinant of Q is a non-zero rational 
function. 

Proof The determinant Det(Q) of matrix Q can be obtained from the general recursive formula 
$\mathrm{Det}(Q) = \sum_{j=1}^{n} (-1)^{1+j} q_{1j} \mathrm{Det}(Q_{1j})$, where $Q_{1j}$ is the matrix obtained 
by deleting the first row and the j-th column of Q. Observe that $Q_{1n}$ is an upper-triangular matrix, the 
diagonal elements of which are all equal to one. Since the determinant of a triangular matrix is equal to the 
product of its diagonal elements, we have $\mathrm{Det}(Q_{1n}) = 1$. Therefore, the coefficient in front of the 
rational function ^ in Det(Q) is equal to 1. Suppose Det(Q) is a zero-function. Then, the rational function ^ 
is equal to a linear combination of ^1 • • • Q~- This means that the rational function Q' Q^ - Q"-^ is a 
polynomial. The last is impossible, since, by assumption, the denominator is an irreducible polynomial of 
non-zero degree and is not contained in the numerator. Therefore, Det(Q) is not a zero-function. 

Theorem 5.2 Let s and t be two processes such that s^^t. There exists a test T that has no probabilistic 
transitions such that $R(s,T) \neq R(t,T)$. 

Proof We prove the theorem by induction on the minimal length m of a ready-trace that distinguishes 
between s and t. For m = 1, we prove that the test $T = \sum_{a \notin M} a.\omega$, where M is a menu with a 
minimal possible number of actions such that $P^1_s(M) \neq P^1_t(M)$, distinguishes between s and t. For 
m > 1 the proof goes as follows. If $P^1_s(M) = P^1_t(M)$ for every menu M, then by the inductive assumption it 
follows that there exists a test $T_1$, menu $M_1$ and action $a_1 \in M_1$ such that 
$R(s_{(M_1,a_1)}, T_1) \neq R(t_{(M_1,a_1)}, T_1)$. We show that there exists a subset of the action set, say 
Act, such that the test $T = a_1.T_1 + \sum_{b \in Act} b.\omega$ distinguishes between s and t. To prove this, 
we take $M_1$ to be the menu containing a minimal possible number of actions such that $P^1_s(M_1) > 0$, 
$a_1 \in M_1$, and $R(s_{(M_1,a_1)}, T_1) \neq R(t_{(M_1,a_1)}, T_1)$. Then we take the set Act' to consist of 
the actions that can be initially performed by s but do not belong to menu $M_1$. Then, we show that there must 
exist a subset Act of Act' such that the test $T = a_1.T_1 + \sum_{b \in Act} b.\omega$ distinguishes between 
s and t (otherwise, we obtain that $R(s_{(M_1,a_1)}, T_1) = R(t_{(M_1,a_1)}, T_1)$, which contradicts our 
assumption). We now proceed with a detailed presentation of the proof. 

From s T^ifft and by Def. 3.4 there must exist a ready-trace $(M_1, a_1, \ldots, M_m)$ such that 
$P^m_s(M_m | M_1, a_1, \ldots, a_{m-1}) \neq P^m_t(M_m | M_1, a_1, \ldots, a_{m-1})$. The proof is by induction 
on m. 

Case 1 (m = 1) Suppose first that there exists a menu M such that $P^1_s(M) \neq P^1_t(M)$. Let M be a 
menu with a minimal possible number of actions such that $P^1_s(M) \neq P^1_t(M)$. Take 
$T = \sum_{a \notin M} a.\omega$. We have $R(s,T) = 1 - \sum_{M' \subseteq M} P^1_s(M')$, because the actions of 
s and T will fail to synchronize if and only if the random choice decides that menu M or some menu 
$M' \subset M$ is offered to process s initially. Similarly, $R(t,T) = 1 - \sum_{M' \subseteq M} P^1_t(M')$. 
Now, suppose that $R(s,T) = R(t,T)$. We have 
$\sum_{M' \subseteq M} P^1_s(M') = \sum_{M' \subseteq M} P^1_t(M')$. From this and $P^1_s(M) \neq P^1_t(M)$, it 
follows that there exists a menu $M' \subset M$ such that also $P^1_s(M') \neq P^1_t(M')$. But this contradicts 
the assumption that M is a menu with a minimal possible number of actions such that 
$P^1_s(M) \neq P^1_t(M)$. 

Case 2 (m > 1) Suppose now that $P^1_s(M) = P^1_t(M)$ for every menu M. Let $(M_1, a_1, \ldots, M_m)$ be a 
ready-trace such that $P^m_s(M_m | M_1, a_1, \ldots, a_{m-1}) \neq P^m_t(M_m | M_1, a_1, \ldots, a_{m-1})$. From 
$P^1_s(M_1) = P^1_t(M_1)$, and from Definitions 3.2 and 3.3 it follows that 
$P^{m-1}_{s_{(M_1,a_1)}}(M_m | M_2, a_2, \ldots, a_{m-1}) \neq P^{m-1}_{t_{(M_1,a_1)}}(M_m | M_2, a_2, \ldots, a_{m-1})$ 
(in case m = 2, $P^1_{s_{(M_1,a_1)}}(M_2) \neq P^1_{t_{(M_1,a_1)}}(M_2)$). Now, by the inductive assumption, 
there exists a non-probabilistic test $T_1$ such that $R(s_{(M_1,a_1)}, T_1) \neq R(t_{(M_1,a_1)}, T_1)$. 

Case 2.1 Suppose first that $a_1$ does not belong to any first-level menu of s other than $M_1$, i.e. that for 
every menu M, $P^1_s(M) > 0$ and $a_1 \in M$ implies $M = M_1$. Then the test $T = a_1.T_1$ distinguishes 
between s and t. 

Case 2.2 Suppose now that $a_1$ belongs to at least one first-level menu of s other than $M_1$, i.e. there 
exists at least one menu $M \neq M_1$ such that $P^1_s(M) > 0$ and $a_1 \in M$. Without loss of generality, 
assume that $M_1$ is a menu with a minimal possible number of actions such that $P^1_s(M_1) > 0$, 
$a_1 \in M_1$, and $R(s_{(M_1,a_1)}, T_1) \neq R(t_{(M_1,a_1)}, T_1)$. Let $\{b_j\}_{j \in J}$ be the set of 
actions that appear in the first level of s (and therefore t) but not in $M_1$, i.e. $b \in \{b_j\}_{j \in J}$ 
if and only if $b \notin M_1$ and there exists a menu M such that $P^1_s(M) > 0$, $b \in M$. We shall prove that 
there exists $J' \subseteq J$ such that the test $T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$ distinguishes 
between s and t. More concretely, we shall prove that, assuming the opposite, it follows that 
$R(s_{(M_1,a_1)}, T_1) = R(t_{(M_1,a_1)}, T_1)$, thus obtaining contradiction. 

Case 2.2.a Suppose first that $\{b_j\}_{j \in J} = \emptyset$. This means that there are no actions other than 
those in $M_1$ that appear in the first level of s. Therefore, all menus M for which $P^1_s(M) > 0$ satisfy 
$M \subseteq M_1$. We prove that the test $T = a_1.T_1$ distinguishes between s and t. Assume that 
$R(s,T) = R(t,T)$. From the last and from Def. 4.1 we obtain 

$$\sum_{M:\ P^1_s(M) > 0,\ a_1 \in M \subseteq M_1} \left( R(s_{(M,a_1)}, T_1) - R(t_{(M,a_1)}, T_1) \right) = 0. \qquad (1)$$

By assumption, for every $M \subset M_1$ such that $a_1 \in M$ it holds 
$R(s_{(M,a_1)}, T_1) = R(t_{(M,a_1)}, T_1)$. Therefore, from (1) we obtain 
$R(s_{(M_1,a_1)}, T_1) = R(t_{(M_1,a_1)}, T_1)$, which contradicts the assumption $R(s_{(M_1,a_1)}, T_1)$ 

Case 2.2.b Suppose now that $\{b_j\}_{j \in J} \neq \emptyset$. Given action $b_i \in \{b_j\}_{j \in J}$, denote 
by the set of all first-level menus of s that contain $b_i$ and $a_1$, i.e. M ∈ iff $P^1_s(M) > 0$ and 
$b_i, a_1 \in M$; denote by the set of all first-level menus of s that do not contain $b_i$ but have $a_1$, 
i.e. M ∈ iff $P^1_s(M) > 0$, $b_i \notin M$ and $a_1 \in M$. 

Let $T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$ for some $J' = \{1, 2, \ldots, n\} \subseteq J$ and suppose 
$R(s,T) = R(t,T)$. Since $P^1_s(M) = P^1_t(M)$ for every menu M, observe that only if action $a_1$ is performed 
initially, it is possible for the test $T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$ to make a difference between 
s and t. Because of this and by Definitions 
O and [321 it follows that 

^P/(M)GT(M)+ £ ^L^pi(M)CT(M) + -.. 



+ I —-4^Plmm{M) = o, (2) 

where by GJ(M) we denote R{s(^M,ai — R(?(M.ai ) 1 ) • Each intersection appearing under the ^-operators 
of ^ can be mapped bijectively to a binary number of n digits - the i-th digit being if the intersection 
contains and 1 if the intersection contains (For reasons that will become clear later, 

the order of the indexing is reversed.) 

Suppose R{s,T) = R{t,T) for every test T = ai.T\ + Y,jej'bj.(0, where / C /. We shall prove that, 
in this case, every sum ^ ttT(M) that appears in Q when /' = 7 is equal to a zero-function. In particular, 
the equality 

L rar(^) = (3) 

will hold. Note that the set {^j^j^f contains all first-level menus of $s$ that have the action $a_1$ but
do not have any other action that does not appear in $M_1$. Therefore, C\jeJ-^f consists of the subsets
of $M_1$ that contain $a_1$. Thus, the equation (3) is equivalent to the equation (1), which leads to
$R(s_{(M_1,a_1)},T_1) = R(t_{(M_1,a_1)},T_1)$, i.e. to contradiction. This would complete the proof of the theorem.

We now proceed with proving the above stated claim. We prove a more general result, namely that
for $J' \subseteq J$, under the assumption that $R(s,T) = R(t,T)$ for every test $T = a_1.T_1 + \sum_{i\in J''} b_i.\omega$ such that
$J'' \subseteq J$ and $|J''| \le |J'|$, it holds that every sum that appears in (2) is equal to zero.

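Suppose first that $|J'| = 1$, i.e. $J' = \{1\}$. Assume that

$$R(s, a_1.T_1) = R(t, a_1.T_1) \qquad (4)$$

and

$$R(s, a_1.T_1 + b_1.\omega) = R(t, a_1.T_1 + b_1.\omega). \qquad (5)$$

From (4), Def. gJl and because $P_s^1(M) = P_t^1(M)$ for every menu $M$, we obtain

$$\sum_{M:\,a_1\in M} \frac{a_1}{a_1}\,P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) = 0. \qquad (6)$$

The equation (2) turns into

$$\frac{a_1}{a_1}\sum_{M:\,a_1\in M,\ b_1\notin M} P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) + \frac{a_1}{a_1+b_1}\sum_{M:\,a_1,b_1\in M} P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) = 0. \qquad (7)$$

Denote the sum in the first term of (7) by $x_0$ and the sum in the second term by $x_1$. Our goal is to show
that $x_0 = 0$ and $x_1 = 0$, i.e. that they are zero-functions. From (6) and (7) we obtain the system of
equations for the unknowns $x_0$ and $x_1$

$$Q_1 x = 0,$$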

where 

Q.= (f ^),x=(^«;),a„dO=(°). 

Since the determinant of the matrix $Q_1$ is not a zero-function, it follows that $x_0 = 0$ and $x_1 = 0$ is the only
solution of the system.

To present a better intuition on the proof in the general case, we shall also consider separately the
case $|J'| = 2$. Let $J' = \{1,2\}$ and assume that $R(s,T) = R(t,T)$ for every test $T = a_1.T_1 + \sum_{i\in J''} b_i.\omega$ such
that $J'' \subseteq J$ and $|J''| \le |J'|$. The equation (2) turns into



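$$\begin{aligned}
&\frac{a_1}{a_1}\sum_{M:\,a_1\in M,\ b_1,b_2\notin M} P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) \\
&+ \frac{a_1}{a_1+b_1}\sum_{M:\,a_1,b_1\in M,\ b_2\notin M} P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) \\
&+ \frac{a_1}{a_1+b_2}\sum_{M:\,a_1,b_2\in M,\ b_1\notin M} P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) \\
&+ \frac{a_1}{a_1+b_1+b_2}\sum_{M:\,a_1,b_1,b_2\in M} P_s^1(M)\bigl(R(s_{(M,a_1)},T_1) - R(t_{(M,a_1)},T_1)\bigr) = 0. \qquad (8)
\end{aligned}$$

Denoting the four sums of (8), in this order, by $x_{00}$, $x_{01}$, $x_{10}$ and $x_{11}$, (8) turns into

$$\frac{a_1}{a_1}\,x_{00} + \frac{a_1}{a_1+b_1}\,x_{01} + \frac{a_1}{a_1+b_2}\,x_{10} + \frac{a_1}{a_1+b_1+b_2}\,x_{11} = 0. \qquad (9)$$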



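Since the sum over the first-level menus that do not contain $b_2$ is zero, we obtain $x_{00} + x_{01} = 0$, and
since the sum over those that contain $b_2$ is zero, we obtain $x_{10} + x_{11} = 0$. Similarly, since the sum over
those that contain $b_1$ is zero, we obtain $x_{01} + x_{11} = 0$. Therefore, we have the system $Q_2 x = 0$, where

$$Q_2 = \begin{pmatrix} \frac{a_1}{a_1} & \frac{a_1}{a_1+b_1} & \frac{a_1}{a_1+b_2} & \frac{a_1}{a_1+b_1+b_2} \\ 1 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \end{pmatrix}, \qquad x = (x_{00}, x_{01}, x_{10}, x_{11})^T.$$

By Lemma 5.1, $\mathrm{Det}(Q_2)$ is not a zero-function, which implies that the vector of zero-functions is the
only solution of the above system of equations.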

We now present how each matrix Qn+i can be obtained from the matrix Qn. 
In general, for G it holds 

£ P/(M)GT(M)+ £ P}{M)m{M)= £ Pl{M)m{M). (10) 

Me(n;Li^On.^„+, Me(nLi-^*)n^<f+i MeCRLi-O 

This means that, in the general case, each solution $x_{i_1 i_2 \ldots i_n} = 0$ of the system $Q_n x = 0$ generates the
following equations for the next system:
for every <k <n. Note that each row of $Q_2$, except the first one, contains exactly two 1's, at positions
whose binary representations differ in exactly one place.

Informally, the general algorithm for obtaining the elements $q^{n+1}_{ij}$ of a $2^{n+1} \times 2^{n+1}$ matrix $Q_{n+1}$ from
matrix $Q_n$, assuming $Q_n$ is non-singular, is as follows. First, initialize all elements of $Q_{n+1}$ to zero. Then,
copy $Q_n$ into the upper left corner of $Q_{n+1}$. Then, copy $Q_n$, excluding the first row, into the lower right
corner of $Q_{n+1}$. Then, assign 1 to $q^{n+1}_{ij}$ for $i = 2^n + 1$ and $j \in \{2^n, 2^{n+1}\}$. Finally, add the appropriate
new rational fractions in the second half of the first row of $Q_{n+1}$. The key observation is that in this way,
we obtain again a matrix such that each row, except the first one, contains exactly two 1's, at positions
whose binary representations differ in exactly one place. Formally,



d^ 



d' 







if 1 </<2"and7<2", 
if / = 2" + l andjG {2",2"+i}, 
if 2" + 1< / and 2" < j, 
if /= l,j>2", 
and^«(^--^"'- - 
otherwise. 



Assuming matrix $Q_n$ satisfies the conditions of Lemma 5.1, it easily follows that matrix $Q_{n+1}$ also satisfies
the conditions of Lemma 5.1. Therefore, its determinant is not a zero-function. This means that the
system $Q_{n+1} x = 0$ has only zero-functions as solutions, which we were aiming to prove. Therefore, the
proof of the theorem is complete.
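The construction of $Q_{n+1}$ from $Q_n$ described above, as an added example that is not code from the paper: it builds the matrices over exact rationals, checks the two-1's row property, and evaluates the determinant at one constructed point (a non-zero value there shows the determinant is not a zero-function). The first-row pattern $a_1/(a_1+\sum b_i)$ generalised from (9), the 1x1 seed matrix, the function names and the sample values are assumptions.

```python
from fractions import Fraction

def first_row_entry(col, a1, b):
    # Assumed general pattern behind (9): a1 / (a1 + sum of the b_i whose bit is set in col).
    return Fraction(a1) / (a1 + sum(b[i] for i in range(len(b)) if col >> i & 1))

def next_matrix(q, a1, b):
    """Build Q_{n+1} from Q_n (0-based indices; len(b) == n + 1)."""
    m = len(q)                                    # m = 2^n
    big = [[Fraction(0)] * (2 * m) for _ in range(2 * m)]
    for i in range(m):                            # Q_n into the upper left corner
        big[i][:m] = q[i]
    for i in range(1, m):                         # Q_n minus its first row, lower right
        big[m + i][m:] = q[i]
    big[m][m - 1] = big[m][2 * m - 1] = Fraction(1)   # row 2^n+1: columns 2^n and 2^(n+1)
    for j in range(m, 2 * m):                     # new fractions, second half of first row
        big[0][j] = first_row_entry(j, a1, b)
    return big

def build(n, a1, b):
    q = [[Fraction(1)]]                           # 1x1 seed a1/a1 (assumption; yields Q_1)
    for k in range(1, n + 1):
        q = next_matrix(q, a1, b[:k])
    return q

def rows_ok(q):
    """Every row but the first: exactly two 1's, in columns differing in one bit."""
    for row in q[1:]:
        ones = [j for j, v in enumerate(row) if v == 1]
        if len(ones) != 2 or any(v not in (0, 1) for v in row):
            return False
        if bin(ones[0] ^ ones[1]).count("1") != 1:
            return False
    return True

def det(matrix):
    """Exact determinant by Gaussian elimination over the rationals."""
    a, d = [row[:] for row in matrix], Fraction(1)
    for c in range(len(a)):
        p = next((r for r in range(c, len(a)) if a[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            a[c], a[p], d = a[p], a[c], -d
        d *= a[c][c]
        for r in range(c + 1, len(a)):
            f = a[r][c] / a[c][c]
            a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return d

A1, B = 1, [2, 3, 5, 7]    # constructed sample values for a_1 and b_1..b_4
```

With these values `build(2, A1, B)` reproduces the coefficient matrix of the $|J'| = 2$ case, and the determinant stays non-zero for every size tried.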



Theorem 5.3 Let s and t be two processes. Ifs^^ t then s t. 
Proof Straightforward: see [13].

From Theorems 5.3 and 5.2 the following statements directly follow.



Theorem 5.4 For arbitrary processes s and t, s^^yt if and only ifs'^fft. 

Theorem 5.5 For arbitrary processes s and t, s'^^j- 1 if and only if there exists a test T without proba- 
bilistic transitions such that R{s,T) ^ R(?,r). 

Remark It is interesting to note that, while in the non-probabilistic case the may/must testing equivalence
can be characterized with the failure equivalence [26], in the probabilistic case we obtain a bit
finer characterization. However, this is not unusual in the probabilistic case, due to the "effect" of the
probabilities - e.g. the same phenomenon appears also in the fully probabilistic case [27].



6 Testing systems and decidability 

In this section we outline how testing can be applied to systems for which only partial information may 
be known, and we show that the testing equivalence is decidable for finite systems or up to a certain 
depth of the systems. 

So far we have discussed testing "processes", i.e. models of systems. In practice, to test a system with
a given test, the probabilistic transitions of the system need not be known. Namely, assume that when
the system and the test are ready to synchronize on an action, the test can "see" the actions-candidates
for synchronization. If the system is tested with the test exhausting all possible ways of synchronization
and sufficiently many times, then the result shall be a set of rational functions without scalars; a standard
statistical analysis will give an estimation of the probability distribution over the rational functions. (A
detailed description of the procedure is beyond the goals of the current paper.) Two systems would not
be distinguished under a given test iff the resulting distributions are the same. The assumption that the
test can see the actions-candidates for synchronization, on the other hand, corresponds to the user (e.g. u
in Fig. 1) being able to see the menu that the machine (e.g. s in Fig. 1) offers. Indeed, this assumption
does not exist in the standard non-probabilistic testing theory Q. However, in real-life systems this is not 
unusual. Moreover, this assumption is mild with respect to the probabilistic may/must testing approaches 
discussed in Sec. [H where one needs to have insight into the internal structure of the composed system 
in order to determine the possible schedulers. 

From Theorem 5.5 it follows that non-probabilistic, i.e. deterministic tests suffice to distinguish
between two processes. Therefore, since the action set is finite, an algorithm for deciding equivalence on
finite processes, or up to a certain length, can be easily constructed. Namely, in this case the characteristic
set of tests of a given length is finite. In case the length of the processes is unknown, the procedure stops
when, for a certain length of the tests, the testing yields result 0 for every test of that length and every
tested process (meaning that the maximal length of the processes has been exceeded).

Proposition 6.1 There exists an algorithm that decides for finite processes. 



7 Related work and conclusion 

There is a plethora of equivalences defined on probabilistic processes in the last two decades (e.g.
[3, 5, 6, 10, 11, 21, 25, 29, 32]). However, we think that closely related to ours are the research reports that face
the challenge of allowing unobservability of the internal probabilistic choice, but still not allowing more 
identifications than the standard must-testing fTlfTTl. if probabilistic choice is treated as a kind of internal 
choice Ifl 

Testing equivalences in the style of Q for processes with external choice and internal probabilistic 
choice, that allow unobservability of the probabilistic choice, i.e. distribution of prefix over probabilistic 
choice, have been also defined in [1, 2, 22]. Of these, only [2], under certain conditions, equates processes
s and s of Fig. 1. In [2] process states are enriched with labels, and a testing equivalence is defined by
means of schedulers that synchronize with processes on the labels. While in our work processes s and s
in Fig. 1 are equivalent, in [2] these two processes can be equated iff the labeling is right.

Probabilistic equivalences in ready-trace style have been defined in [24] and [16], also for processes
where the internal nondeterminism has been quantified with probabilities. However, in contrast to our
approach, these definitions do not imply testing scenarios that can characterize the equivalences, as the
one given in [15] for the non-probabilistic ready-trace equivalence.

Other equivalences, that also allow distributivity of prefix over probabilistic choice, but are not 
closely related to ours, include trace-style equivalences ( ||3]lll[II]|29j|3T|) and button-pushing testing 
equivalences ( |[20l . |[23l ). Of these, only |[3TI . ifTTI and |[23l also allow distribution of external choice 
over probabilistic choice. However, in these approaches the environment is not a process itself, but
rather a sequence of actions. In other words, their motivation does not include sensitivity to deadlock
and branching structure - e.g. they also identify processes c.a ©_i c.b and c.{a + b)®\_c ("+" being the
operator for external choice).

^See [15] for the properties that the must-testing equivalence preserves, but are not preserved by a (completed) trace
equivalence.

The present paper is also related to the newer research in [2, 4, 14], in the sense that it restricts the
power of the schedulers that resolve the nondeterminism in a parallel composition. Contrary to [2, 4, 14],
the "schedulers" in the present paper do not use information about the state in which a process is. We 
believe that this approach is more appropriate when defining a testing equivalence on processes, as it is 
closer in nature to the work in Q. 

Finally, so far, none of the proposals of testing equivalences in the style of UTJ for probabilistic 
processes having "external nondeterminism" deal with the problem of deciding equivalence based on 
the testing semantics itself. We refer the reader also to [33] for a survey of the testing equivalences on
probabilistic processes and decidability results. 

To conclude, we have proposed a testing equivalence in the style of [7] for processes where the internal
nondeterminism is quantified with probabilities (e.g. [21, 23]). We showed that it can be characterized
as a probabilistic ready-trace equivalence. From the characterization it follows that: (i) the testing equivalence
is insensitive to the exact moment of occurrence of an internal probabilistic choice, (ii) it equates
no more processes than the equivalence of [7] when probabilities are not treated, and (iii) a decidability
procedure exists for determining if two finite processes are testing equivalent, or if two infinite processes
are testing equivalent up to a certain depth. Moreover, the testing semantics provides a way to compute
the testing outcomes in practice, without requiring access to the internal structure of the system other
than the actions-candidates for synchronization between the system and the test. To our knowledge, this
is the first equivalence that accomplishes all of the above stated goals.